
5.
Pentester disadvantage
Pentesters vs Bad guys
• Pentesters have time/scope constraints != Bad guys
• Pentesters have to write a report != Bad guys
Complexity is increasing
More complexity = more time needed to test properly
Customers are rarely willing to:
"Pay for enough / reasonable testing time"
A call for efficiency:
• We must find vulns faster
• We must be more efficient
• .. or bad guys will find the vulns, not us

15.
OWTF CLI help
Call owtf without arguments to see the options available:
./owtf.py
…
 -l <web/net/aux>: list available plugins in the plugin group (web, net or aux)
 -f: force plugin result overwrite (default is avoid overwrite)
 -i <yes/no> interactive: yes (default, more control) / no (script-friendly)
 -e <except plugin1,2,..> comma separated list of plugins to be ignored in the test
 -o <only plugin1,2,..> comma separated list of the only plugins to be used in the test
 -p (ip:)port setup an inbound proxy for manual site analysis
 -x ip:port send all owtf requests using the proxy for the given ip and port
 -s Do not do anything, simply simulate how plugins would run
…

17.
Simulation mode
Simulation mode "-s":
1) SIMULATES what OWTF will do (so it does not do it!)
2) Is useful to check the effect of a command before running it
# owtf.py -s https://accounts.google.com | more

19.
Plugin Groups
OWTF defines 3 major plugin groups (-g):
• web (default) = targets are interpreted as URLs = web assessment only
• net = targets are interpreted as hosts/network ranges = traditional network discovery and probing
• aux = targets are NOT interpreted, it is up to the plugin/resource definition to decide what to do with the target
Example: the following would run all web plugins against http://demo.testfire.net
./owtf.py -g web http://demo.testfire.net

21.
Plugin Types (-t)
At least 48.5% (32 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!

99.
Manual verification for password autocomplete (i.e. for the customer)
Easy "your grandma can do it" test:
1. Login
2. Logout
3. Click the browser Back button twice*
4. Can you login again (without typing the login or password) by re-sending the login form? Can the user re-submit the login form via the back button?
* Until the login form submission
Other sensitive fields: pentester manual verification
• Credit card fields
• Password hint fields
• Other

100.
Part 2 - Password Reset forms
Manually look at the questions / fields in the password reset form:
• Does it let you specify your email address?
• Is it based on public info? (name, surname, etc.)
• Does it send an email to a potentially dead email address you can register? (e.g. hotmail.com)

114.
• Secure: not set = session cookie leaked = pwned
• HttpOnly: not set = cookies stealable via JS
• Domain: set properly
• Expires: set reasonably
• Path: set to the right /sub-application
• 1 session cookie that works is enough ..
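A small checker for this checklist, added here as an example and not part of OWTF: it parses Set-Cookie headers and reports which of the five attributes fail. The session-cookie name list, the 12-hour cap for a "reasonable" Expires and the sample headers are assumptions.

```python
"""Audit Set-Cookie headers against the checklist on this slide: Secure,
HttpOnly, Domain, Expires and Path. Added example, not part of OWTF."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: cookies with these names carry the session (heuristic, not from the slides).
SESSION_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sid", "session", "sessionid"}
MAX_SESSION_LIFETIME = timedelta(hours=12)  # assumed cap for a "reasonable" Expires

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags (Secure, HttpOnly) map to ""
    return name.strip(), value, attrs

def audit_cookie(header, app_path="/", now=None):
    """Return the checklist items the cookie fails; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure not set: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: cookie readable from JavaScript")
    if "domain" in attrs:  # any Domain attribute widens the cookie to all subdomains
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain, confirm intended")
    if app_path != "/" and attrs.get("path", "/") == "/":
        findings.append(f"Path=/ is wider than the application path {app_path}")
    if name.lower() in SESSION_NAMES and "expires" in attrs:
        remaining = parsedate_to_datetime(attrs["expires"]) - (now or datetime.now(timezone.utc))
        if remaining > MAX_SESSION_LIFETIME:
            findings.append("Expires too far ahead: session survives as a persistent cookie")
    return findings

def audit_headers(headers, app_path="/", now=None):
    """Map each Set-Cookie header's cookie name to its list of findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h, app_path, now) for h in headers}

# Constructed sample response headers for a demo app living under /app.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=ab12cd34; Path=/app; Secure; HttpOnly",
    "Set-Cookie: sid=7785; Path=/; Domain=example.com",
    "Set-Cookie: session=deadbeef; Path=/app; Secure; HttpOnly; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

print(audit_headers(SAMPLE_HEADERS, app_path="/app"))
```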

118.
Session ID:
• In URL
• In POST
• In HTML
Example from the field:
http://target.com/xxx/xyz.function?session_num=7785
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application (ids you have permission for!):
http://site.com/view_doc=4

146.
Workshop exercise (continued)
3) Verify using the "#" trick (payload not sent to target):
http://demo.testfire.net/vulnerable.swf#?getUrlParentVar=javascript:alert('pwned!')
Click on "Get URL (parent)" for the example above and you get: XSS ☺